CVSS3: 6.5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS2: 6.4 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low (Percentile: 25.2%)

A cleartext transmission of sensitive information vulnerability exists in
curl <v7.88.0 that could cause HSTS functionality to behave incorrectly
when multiple URLs are requested in parallel. Using its HSTS support, curl
can be instructed to use HTTPS instead of using an insecure clear-text HTTP
step even when HTTP is provided in the URL. This HSTS mechanism would
however surprisingly fail when multiple transfers are done in parallel as
the HSTS cache file gets overwritten by the most recently completed
transfer. A later HTTP-only transfer to the earlier host name would then
not get upgraded properly to HSTS.
Author | Note |
---|---|
mdeslaur | introduced in 7.77 same commits as CVE-2023-23914 |
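
The overwrite described above can be reproduced in a small model. This is an added example, not curl's code: the JSON cache format, the `Transfer` class, the helper names and the `a.example`/`b.example` hosts are all constructed for illustration, and the `merge` option is one generic way to avoid a last-writer-wins save, not a description of curl's fix.

```python
import json
import os
import tempfile

# Simplified model (an assumption, not curl's code or file format): each
# transfer loads the HSTS cache file at start and saves its own view on completion.

def load_cache(path):
    if not os.path.exists(path):
        return set()
    with open(path) as f:
        return set(json.load(f))

def save_cache(path, hosts):
    with open(path, "w") as f:
        json.dump(sorted(hosts), f)

class Transfer:
    def __init__(self, cache_path, host):
        self.cache_path = cache_path
        self.host = host
        self.hsts = load_cache(cache_path)  # snapshot taken when the transfer starts

    def complete(self, merge=False):
        # The HTTPS response carried Strict-Transport-Security for self.host.
        self.hsts.add(self.host)
        if merge:
            # Hardened variant: fold in entries other transfers saved meanwhile.
            self.hsts |= load_cache(self.cache_path)
        save_cache(self.cache_path, self.hsts)  # whole-file overwrite

def resolve_scheme(cache_path, url):
    """Return the URL a later transfer would actually request."""
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0]
    if scheme == "http" and host in load_cache(cache_path):
        return "https://" + rest
    return url

def run_parallel(merge):
    """Two overlapping transfers to constructed hosts, then a later http:// URL."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hsts.json")
        a = Transfer(path, "a.example")
        b = Transfer(path, "b.example")  # starts before a completes
        a.complete(merge)
        b.complete(merge)                # most recently completed transfer
        return resolve_scheme(path, "http://a.example/login")
```

With `merge=False` the later request to `a.example` stays on clear-text HTTP because `b`'s save replaced the file; with `merge=True` the entry survives and the URL is upgraded.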